article

Hello Infiltrators - Our Doors are Wide Open

In the 1946 classic ‘Hair Raising Hare,’ Bugs Bunny asks, ‘Have you ever have the feeling you were being watched? Like the eyes of strange things are upon you?’ Like Bugs often did, he breaks the fourth wall and involves the audience directly, invoking a feeling that someone is looking over your shoulder.

Today, it is likely the case that you are being watched by the strange (internet of) things that are starting to infiltrate our homes, cars, bodies and the whole of society. While there is a mad rush by people purchasing these things and a similar rush for companies to develop applications and services around those, many are not pausing to either understand the risks or build security into the products.

Might as well start with our dwellings. Security researchers at Rapid7 found flaws in in Comcast’s Xfinity Home Security system that would cause it to falsely report that the home’s windows and doors are closed and secured even if they’ve been opened. It also failed to detect an intruder’s motion inside the house. Attacking the system’s communications protocol, they used radio jamming equipment to block the signals that pass from the door, window, or motion sensor to the home’s baseband hub. The system didn’t notice the communication was breached and essentially, failed open without any alert to the owner. When the jammers were turned off, it took minutes to hours for the sensors to reconnect and still didn’t give any indication that a catastrophe could have occurred.

Next, to some of the things inside the insecure house. Experts are predicting that as more connected, smart-TVs enter the home, this will be an avenue for the bad guys to breach your home network. Almost half of U.S. households already have a smart-TV and close to 70% of the sets sold this year will have connectivity capabilities. A threat researcher with Symantec was able to infect his new Andriod-based smart-tele with some ransomware. Within a few seconds, the TV was locked and unusable with the fear inducing pay-up-pop-up ransom note.

Also giving outsiders a view of the inside, Princeton researchers found that certain IoT thermostats were leaking customer zip codes over the internet in clear text. Fortunately, when the manufacturer was notified they quickly issued a patch. There are many horror stories about strangers watching and talking to children via insecure baby monitors. Add to that, toys that record your kid's conversations puts the whole family at risk.

And out on the road, we’ve seen how researchers were able to control a Jeep and last week, researchers were able to remotely control any of the Nissan Leaf’s functions by using the mobile app’s insecure APIs. The unsecured APIs allowed anyone who knows the VIN of a car to access non-critical features like climate control and battery charge management from anywhere on the Internet. Also, someone exploiting the unauthenticated APIs can see the car's estimated driving range. They too, pulled access to the app until they can properly secure the infrastructure and application that supports the mobile app.